Escaped echo

Use {{ $expr }} to output a value safely. Lex routes every expression through htmlspecialchars with ENT_QUOTES | ENT_SUBSTITUTE and UTF-8 encoding, so special characters like <, >, ", and ' are converted to their HTML entities before being written to the page.
<h1>{{ $post->title }}</h1>
<p>Author: {{ $post->author->name }}</p>
<span>Tags: {{ implode(', ', $tags) }}</span>
Use escaped echo for all user-supplied or untrusted data. It is the right default for the vast majority of output.

Raw (unescaped) echo

Use {!! $expr !!} to output a value without any HTML escaping. The expression is inserted into the page as-is.
<div class="article-body">{!! $post->htmlBody !!}</div>
Only use raw echo with content you fully control. Passing untrusted user input through {!! !!} creates an XSS vulnerability — an attacker can inject arbitrary HTML or JavaScript into your page.
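
An added example, not taken from Lex's source or documentation: it reproduces the `htmlspecialchars` call described above for `{{ }}` next to the unchanged output of `{!! !!}`, placing constructed untrusted values inside a single-quoted attribute. The helper names `escaped_echo`, `raw_echo` and `has_html_metachar` are hypothetical, and the `ENT_COMPAT` variant is included only for comparison.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: the htmlspecialchars() call the page describes for {{ }}.
function escaped_echo(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hypothetical helper: {!! !!} writes the value unchanged.
function raw_echo(string $value): string
{
    return $value;
}

// True if the string still contains a character that can open a tag
// or close a quoted attribute value.
function has_html_metachar(string $s): bool
{
    return strpbrk($s, '<>"\'') !== false;
}

// Constructed sample values standing in for untrusted input.
$inputs = [
    'markup'        => '<script>alert(1)</script>',
    'double quote'  => 'x" onfocus="alert(1)',
    'single quote'  => "x' onfocus='alert(1)",
    'invalid UTF-8' => "caf\xE9", // lone 0xE9 byte is not valid UTF-8
];

foreach ($inputs as $label => $value) {
    $variants = [
        'raw {!! !!}'     => raw_echo($value),
        'escaped {{ }}'   => escaped_echo($value),
        // Comparison only: ENT_COMPAT leaves ' alone, and without
        // ENT_SUBSTITUTE an invalid byte sequence yields an empty string.
        'ENT_COMPAT only' => htmlspecialchars($value, ENT_COMPAT, 'UTF-8'),
    ];
    echo "== {$label} ==\n";
    foreach ($variants as $name => $out) {
        printf("%-16s <input value='%s'>  metachar left: %s\n",
            $name, $out, has_html_metachar($out) ? 'yes' : 'no');
    }
    echo "\n";
}
```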

Template comments

Lex reuses HTML comment syntax for template comments. Any content inside <!-- ... --> is stripped at compile time and never appears in the rendered HTML source, not even as an empty comment node.
<!-- This comment is erased before the page is served -->

<!--
  Multi-line comments work too.
  Useful for disabling a block during development.
-->

<p>This paragraph is rendered normally.</p>
Because comments are removed during compilation, they are invisible to browsers and source-view tools — unlike standard HTML comments, which are sent to the client.

Escaping the # character

Prefix # with a backslash to output a literal # without triggering directive parsing.
<code>\#truncate($text, 60)</code>
This renders as:
<code>#truncate($text, 60)</code>
Only \# immediately followed by a letter is treated as an escape sequence. A standalone backslash or \#123 (where # is followed by a digit) is output as-is.